Abstract. We propose a cipher similar to the One Time Pad and McEliece cipher based on 
a subband coding scheme. The encoding process is an approximation to the One Time Pad 
encryption scheme. We present results of numerical experiments which suggest that a brute 
force attack to the proposed scheme does not result in all possible plaintexts, as the One 
Time Pad does, but still the brute force attack does not compromise the system. However, 

1. Introduction 



In this paper, we propose a private key cipher, the idea for which comes from frame theory 
and multiple access communications. The cipher has similarities to the Hill cipher, the One 
Time Pad, and the McEliece cipher [Menezes et al. 1997], [Chabaud 1995]. Indeed, one of the 
design goals for our cipher is to approximate the One Time Pad. 

Our design goals include the following: 

1. Include randomness in the encryption process; 

2. Require the key be shared only once; 

3. Use a relatively small key size; 

4. Computationally fast; 

5. Robust to brute force attacks. 

Our proposed cipher implements items 1-4 above; the purpose of the present paper is to give 
some demonstration of item 5. We remark here that 5 is not sufficient for the cipher to be 
a good one, but certainly is necessary. We will demonstrate that this cipher is vulnerable to 
a chosen-plaintext attack. It is unknown if this cipher is robust against a known-plaintext 
attack. 

Our cipher can be described as follows: consider a communications channel; we divide 
the channel into two subbands, one which will carry the message, and the other which will 
carry noise, or as we call it in this paper, garbage. The message, along with the garbage 
is transmitted over the channel; the recipient then filters out the garbage, leaving only the 
message. This procedure is carried out using orthogonal frames. The procedure requires the 
construction of orthogonal frames; the easiest way to do this is using Fourier frames (also 
called harmonic frames). However, as will be described, these frames are not good for our 
purposes here, and so we present several alternative methods for constructing orthogonal 
frames. 
The paper is organized as follows. In Section 2 we give a short introduction to frames, 
and in particular orthogonal frames. In Section 3 we give an account of several methods for 
constructing orthogonal frames, with remarks regarding our design goals. In Section 4 we 
present the results and conclusions of our numerical experiments and the chosen-plaintext 
attack. In the Appendix, we provide pseudocode to describe the experiments. 

2. Introduction to Frames 

Frames for Hilbert spaces are being used in many signal processing applications such as 
sampling theory, multiple access communications, etc. Frames provide redundancy via 
overcompleteness, where bases do not, and it is this redundancy that makes them advantageous to 
use in these settings. In this paper, we will utilize this redundancy of frames for the purpose 
of encryption. 

Let $H$ be a Hilbert space over the field $\mathbb{F}$ with scalar product $\langle \cdot, \cdot \rangle$ and norm $\|\cdot\|$, where 
$\mathbb{F}$ denotes either $\mathbb{R}$ or $\mathbb{C}$. A frame for $H$ is a sequence $X := \{x_n\}_{n \in \mathbb{Z}}$ such that there exist 
constants $0 < A \le B < \infty$ such that for all $v \in H$, 

(1) $A\|v\|^2 \le \sum_{n} |\langle v, x_n \rangle|^2 \le B\|v\|^2$. 

Clearly, a frame spans the Hilbert space. Moreover, $\{x_n\}$ defines the following frame operator 

$S : H \to H : v \mapsto \sum_{n} \langle v, x_n \rangle x_n$ 

which is positive and invertible. Define $\{\tilde{x}_n\} \subset H$, the standard dual of $\{x_n\}$, by $\tilde{x}_n := S^{-1} x_n$; 
then for all $v \in H$, 

$v = \sum_{n} \langle v, x_n \rangle \tilde{x}_n = \sum_{n} \langle v, \tilde{x}_n \rangle x_n$. 

If $A = B = 1$, the frame is said to be Parseval, and then for all $v \in H$, 

$v = \sum_{n} \langle v, x_n \rangle x_n$. 

For elementary frame theory, see [Han et al. 2000], [Casazza 2000]. 

If $H$ is finite dimensional ($H$ will always be assumed to be so from here on, unless 
specifically stated), then a frame sequence (possibly finite) is any spanning set $\{x_n\}$ such 
that $\sum_{n \in \mathbb{Z}} \|x_n\|^2 < \infty$. If only a finite number of $x_n$'s are non-zero, then $\{x_n\}$ is a finite 
frame, and we will discard those that are zero. See [C et al. 2001], [Dykema et al. 2003], 
[Benedetto et al. 2003] for more on finite frames. 

For convenience of notation, we make the following definition. 

Definition 1. An $n \times n$ real matrix, $M$, is an orthogonal matrix if $M^T M = kI_n$ for some 
constant $k$. 

The (finite) Parseval frames in H are characterized by the following proposition. 

Proposition 1. Let $\{x_n\}_{n=1}^{M} \subset H$, where $H$ has dimension $N$. The following are equivalent: 

1. $\{x_n\}$ is a Parseval frame for $H$; 

2. the $M \times N$ matrix whose $i$th row is $x_i$ (as a row vector) has columns which are 
orthonormal; 

3. there exists a Hilbert space $K$ of dimension $M - N$ and vectors $\{y_n\}_{n=1}^{M} \subset K$ such that 
the $M \times M$ matrix formed by 

$\left(\begin{array}{c|c} x_1 & y_1 \\ \vdots & \vdots \\ x_M & y_M \end{array}\right)$ 

is a unitary matrix. 

Here we write the vectors $x_i$ and $y_i$ as row vectors with respect to any orthonormal bases 
for $H$ and $K$, respectively. 

Proof. The proof of the equivalence of 1 and 2 is in [Benedetto et al. 2003]. The proof of 
the equivalence of 1 and 3 is, for infinite frames, contained in [Han et al. 2000, Corollary 1.3, 
Theorem 1.7]. The case for finite frames is analogous. □ 

Remark 1. Another way to view Proposition 1 is that $\{x_n\}$ is a Parseval frame for $H$ if 
and only if $\{x_n\}$ is the inner direct summand of an orthonormal basis $\{x_n \oplus y_n\}$ for some 
superspace $H \oplus K$ of $H$. 

Definition 2. Two frames $\{x_n\}_{n=1}^{M} \subset H$ and $\{y_n\}_{n=1}^{M} \subset K$ are orthogonal if for all $v \in H$, 

$\sum_{n=1}^{M} \langle v, x_n \rangle y_n = 0$. 

Proposition 2. Suppose $\{x_n\}_{n=1}^{M} \subset H$ and $\{y_n\}_{n=1}^{M} \subset K$ are Parseval frames; they are 
orthogonal if and only if 

$(P|Q) = \left(\begin{array}{c|c} x_1 & y_1 \\ \vdots & \vdots \\ x_M & y_M \end{array}\right)$ 

has columns which form an orthonormal set. 

Proof. ($\Leftarrow$) Consider the two matrices $P$ and $Q$ whose rows are $\{x_n\}$ and $\{y_n\}$, respectively. 
A straightforward computation demonstrates that for $v \in H$, 

(2) $\sum_{n=1}^{M} \langle v, x_n \rangle y_n = Q^* P v$, 

where $Q^*$ is the conjugate transpose of $Q$. It follows that if the above matrix has orthonormal 
columns, then $Q^* P = 0$, and thus the frames $\{x_n\}$ and $\{y_n\}$ are orthogonal. 

Conversely, suppose the Parseval frames are orthogonal. Note that by Proposition 1, 
the left part $P$ of the above matrix has orthonormal columns; likewise the right part of the 
matrix $Q$ also has orthonormal columns. By equation (2), we must have that the columns 
of the left part of the matrix are orthogonal to the columns of the right part of the matrix. 
Hence, the columns of the matrix form an orthonormal set. □ 

Note that if $\{x_n\}$ is orthogonal to $\{y_n\}$, then $\{y_n\}$ is orthogonal to $\{x_n\}$. 
Let $X := \{x_n\}_{n=1}^{M} \subset H$; the analysis operator $\Theta_X$ of $\{x_n\}$ is given by: 

$\Theta_X : H \to \mathbb{F}^M : v \mapsto (\langle v, x_1 \rangle, \langle v, x_2 \rangle, \ldots, \langle v, x_M \rangle)$. 

The matrix representation of $\Theta_X$ is given as the matrix $P$ in Proposition 2. The proof 
of Proposition 2 shows that two frames $\{x_n\}$ and $\{y_n\}$ are orthogonal if and only if their 
analysis operators $\Theta_X$ and $\Theta_Y$ have orthogonal ranges in $\mathbb{F}^M$. 

2.1. Encryption Using Orthogonal Frames. We present here an overview of our proposed 
private key encryption scheme using orthogonal frames. For motivation, consider that the 
One-Time Pad is an unconditionally secure cipher, which is optimal of all unconditionally 
secure ciphers in terms of key length [Menezes et al. 1997]. Our encryption scheme, which 
is similar to a subband coding scheme, is an effort to approximate the One-Time Pad. The 
(private) key for this encryption scheme is two orthogonal Parseval frames $\{x_n\}_{n=1}^{M} \subset H$ and 
$\{y_n\}_{n=1}^{M} \subset K$. Let $\Theta_X$ and $\Theta_Y$ respectively denote their analysis operators. Suppose $m \in H$ 
is a message; let $g \in K$ be a non-zero vector chosen at random. The ciphertext $c \in \mathbb{F}^M$ is 
given as follows: 

$c := \Theta_X m + \Theta_Y g$. 

To recover the message, we apply 

$\Theta_X^* c = \Theta_X^* \Theta_X m + \Theta_X^* \Theta_Y g$ 

$= \sum_{n=1}^{M} \langle m, x_n \rangle x_n + \sum_{n=1}^{M} \langle g, y_n \rangle x_n$ 

$= m + 0 = m$. 

There are several things to note about our scheme: 

1. The frame $\{x_n\}$ need not be Parseval, but Parseval frames are in general easier to work 
with. Since the Parseval frames form only a small subset of all possible frames, using 
general frames would allow a much greater choice of specific encryption keys. 

2. The frame $\{y_n\}$ need not be Parseval; it need not even be a frame, though again Parseval 
frames simplify matters. If $\{y_n\}$ is not a frame, then $\Theta_Y$ has non-trivial kernel, and 
$\Theta_Y g$ could be 0 if $g$ is chosen to be in the kernel. (Below we will actually use scalar 
multiples of Parseval frames for both $\{x_n\}$ and $\{y_n\}$.) 

3. Just as with the One-Time Pad, when done properly, encoding a message twice results 
in two different ciphertexts. 

4. Unlike the One-Time Pad, in which a brute force attack results in all possible plaintexts, 
it appears unlikely that a brute force attack on our system would result in the same. 
Our simulations indicate that an attack produces either a text which is very close to 
the original plaintext or is gibberish (see graphs below for more.) However, at this 
time, we cannot prove why this is so. 

Proposition 3. If $\{x_n\}_{n=1}^{M} \subset H$ and $\{y_n\}_{n=1}^{M} \subset K$ are orthogonal frames, then $M \ge 
\dim(H) + \dim(K)$. 

Proof. Let $\Theta_X$ and $\Theta_Y$ be the respective analysis operators. Note that by the (lower) frame 
inequality in equation (1), both $\Theta_X$ and $\Theta_Y$ are one-to-one. Moreover, the orthogonality of the 
frames is equivalent to the orthogonality of the ranges of $\Theta_X$ and $\Theta_Y$. Combining these two 
observations establishes the proposition. □ 

For convenience, we will assume that $M = \dim(H) + \dim(K)$. The ciphertext is 

$c = \Theta_X m + \Theta_Y g$ 

where $\{x_n\}$ and $\{y_n\}$ are orthogonal Parseval frames. Since they are orthogonal, we write 

$c = (\Theta_X|\Theta_Y)(m \oplus g)$ 

where the matrix $(\Theta_X|\Theta_Y)$ is an isometry. Therefore, our encryption procedure involves 
generating a large orthogonal matrix. 

The next section discusses several ways of constructing such matrices. Since the encryption 
scheme is a private key system, we wish to have a relatively small key size; that is to say that 
the entire matrix is too much information to be used as the key. We discuss below some of 
the strengths and weaknesses of the various construction techniques. 

3. Five Encryption Schemes 

The cipher algorithm depends upon generating a pair of random orthogonal frames, each 
of which is the size of the message. This is equivalent to producing a random orthogonal 
matrix of twice the size of the message. We investigate here several methods for doing so. 
The first method takes the view of producing orthogonal frames using Fourier frames. The 
remaining methods take the view of producing orthogonal matrices. 

Once the orthogonal frames, or orthogonal matrix, is determined, the encryption and 
decryption process is the same. If the frames are given by $X$ and $Y$, then we write the matrix 
$(\Theta_X|\Theta_Y)$; if on the other hand the matrix is $A$, we think of $A = (\Theta_X|\Theta_Y)$. Given a message $m$, 
choose at random a vector $g$, called the "garbage" or "noise", and compute $(\Theta_X|\Theta_Y)(m \oplus g) = c$ 
to yield the cipher text $c$. The recipient computes 

$(\Theta_X|\Theta_Y)^T c = (\Theta_X|\Theta_Y)^T (\Theta_X|\Theta_Y)(m \oplus g) = Km \oplus 0 = Km$, 

where $K$ is the square of the norm of any column of the matrix $\Theta_X$. Dividing by $K$ then 
reproduces the message. 

3.1. Scheme #1. The first algorithm utilizes the Discrete Cosine Transform. The original 
idea came from using the Discrete Fourier transform, which involves complex exponentials. 
The Discrete Cosine Transform, in matrix form, is given by: 

C = [c kn ] = 

where $n = 1, \ldots, M$, $\lambda_1 = 1/\sqrt{2}$ and $\lambda_k = 1$ for all $k = 2, \ldots, N$. Note that this is normalized 
to be a unitary matrix. Assuming that $M = 2N$, one can permute the columns of $C$ to yield 
$\tilde{C}$, and divide the resulting matrix in half vertically: 

$\tilde{C} = (\Theta_X|\Theta_Y)$. 

The resulting divided matrix can then be viewed as the analysis operators for two orthogonal 
frames, each for $\mathbb{R}^N$, consisting of cosine bases projected onto smaller subspaces (Proposition 
2; see also [Aldroubi et al. 2002]). Moreover, the frame vectors can be weighted, which is 
accomplished by a diagonal, invertible matrix $D$. Let $P$ denote a permutation matrix. 

The (private) key for the cipher then consists of the matrix $D$ (or simply its diagonal 
entries), and the permutation corresponding to $P$. The encryption algorithm of a message $m$ 
of length $N$ then consists of randomly generating a garbage vector $g \in \mathbb{R}^N$ and computing 
the ciphertext $c$: 

$c = CDP(m \oplus g)$. 



Afc /l C ° S {S (n + 1/2) } ' 
To decrypt the message, we apply the matrix $QP^T D^{-1} C^T$ to the ciphertext, where $Q$ is the 
projection of $\mathbb{R}^M$ onto the first $N$ co-ordinates: 

$QP^T D^{-1} C^T CDP(m \oplus g) = Q(m \oplus g) = m$. 

Remark 2. We note that the only knowledge unknown to an adversary is $D$ and $P$; the 
adversary will know $C$. Hence, $C$ is irrelevant to the cipher algorithm. Because of this, the 
algorithm reduces to rearrangement followed by weighting of the entries of the message and 
the garbage. We conclude that our first algorithm is a poor one. 

3.2. Scheme #2. The second scheme involves using Hadamard arrays to generate orthogonal 
matrices. We first start with the definition of Hadamard arrays. We remark here that this 
scheme is related to linear codes [Delsarte et al. 1969]. 

Definition 3. [Wallis 1972] A Hadamard array $H[h, k, \lambda]$ based on the indeterminates $x_1, x_2, \ldots, x_k$ 
with $k \le h$, is an $h \times h$ matrix with entries chosen from $\{\pm x_1, \pm x_2, \ldots, \pm x_k\}$ in such a way 
that: 

1. In any row there are $\lambda$ entries $\pm x_1$, $\lambda$ entries $\pm x_2$, ..., $\lambda$ entries $\pm x_k$, and similarly 
for the columns. 

2. The rows and columns are (formally) pairwise orthogonal, respectively. 

The matrices we use for our encryption scheme are of $h = k$, $\lambda = 1$. The only possible 
Hadamard arrays of this type are for $h = 1, 2, 4, 8$ [Agaian 1985]. For indeterminates $A$ 
through $H$, we have the Hadamard array 



$H[8,8,1] = \begin{pmatrix}
A & B & C & D & E & F & G & H \\
-B & A & D & -C & F & -E & -H & G \\
-C & -D & A & B & G & H & -E & -F \\
-D & C & -B & A & H & -G & F & -E \\
-E & -F & -G & -H & A & B & C & D \\
-F & E & -H & G & -B & A & -D & C \\
-G & H & E & -F & -C & D & A & -B \\
-H & -G & F & E & -D & -C & B & A
\end{pmatrix}$ 

For $\Theta = H[8,8,1]$, $\Theta^T \Theta = K I_8$, where $K = A^2 + B^2 + \cdots + H^2$. 
The Hadamard arrays allow easy construction of matrices (and hence tight frames) needed 
in our encryption schemes. For the encryption process, we now have only to construct $\Theta$ 
instead of computing the matrices $C$, $D$, and $P$. 

The encryption process starts with a message $m$ of arbitrary length, and dividing $m$ into 
blocks $m_1, \ldots, m_q$ of length 4 (padding the last block with 0's if necessary). Then random 
vectors $g_1, \ldots, g_q$ of length 4 are chosen, and the matrix $\Theta$ is applied successively to $m_i \oplus g_i$. 
The ciphertext is then 

$c = \Theta(m_1 \oplus g_1) \oplus \cdots \oplus \Theta(m_q \oplus g_q)$. 

The message is then decrypted by dividing $c$ into blocks $c_1, \ldots, c_q$ of size 8, computing 
$K^{-1}\Theta^T c_i$ for $i = 1, \ldots, q$, and reconstructing the message using the first four entries of these 
resulting blocks. 



Remark 3. Because of the ease of construction of the Hadamard arrays, the system is quite 
easy to implement. Unlike the first scheme, the key for the recipient has now been reduced 
to knowing the chosen entries for $\Theta$, hence in this case the key is the entries $A, B, \ldots, H$ of 
the matrix $\Theta$. Since Hadamard arrays are small, however, we wish to find an algorithm to 
generate larger orthogonal matrices. 

3.3. Scheme #3. Our next scheme is an attempt to produce larger orthogonal matrices. 
Starting with Hadamard arrays $A$ and $M$ with $A^T A = kI_8$ and $M^T M = pI_8$ for constants $k$ 
and $p$, we construct a new $16 \times 16$ orthogonal matrix 

$S = \begin{pmatrix} A & MA \\ -M^T A & A \end{pmatrix}$. 

Repeat this procedure with Hadamard arrays $B$ and $N$ to get 

$T = \begin{pmatrix} B & NB \\ -N^T B & B \end{pmatrix}$. 

The matrices $S$ and $T$ are then used to construct a $32 \times 32$ orthogonal matrix: 

$U = \begin{pmatrix} S & TS \\ -T^T S & S \end{pmatrix}$. 

This "blow up" construction is iterated to get the appropriate size matrix for our plain text. 

Remark 4. In this encryption scheme, the key is the entries of the matrices $A, B, M, N$, etc., 
and their positions in the construction. This method, however, is computationally inefficient. 



3.4. Scheme #4. We first define the tensor product, $\otimes$, of two matrices, $A$ and $B$. The 
sizes of the matrices are irrelevant. 

Definition 4. [van Lint 1992] Let 

$A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ \vdots & \vdots & & \vdots \\ a_{m1} & a_{m2} & \cdots & a_{mn} \end{pmatrix}$. 

Then 

$A \otimes B := \begin{pmatrix} a_{11}B & a_{12}B & \cdots & a_{1n}B \\ \vdots & \vdots & & \vdots \\ a_{m1}B & a_{m2}B & \cdots & a_{mn}B \end{pmatrix}$. 

If $A$ is an $m \times n$ and $B$ is a $p \times q$, then $A \otimes B$ is an $mp \times nq$ matrix. The tensor product 
will be the critical element of construction in this and the next scheme. Note that if $A$ and 
$B$ are orthogonal matrices, then $A \otimes B$ is also an orthogonal matrix. 

Definition 5. A Hadamard matrix is a square orthogonal matrix with entries consisting of 
$\pm 1$'s. 

We start with an Hadamard matrix (not an array), $H$, of a chosen size $2^p$, and then two 
Hadamard arrays, $A$ and $B$ of choice sizes 2, 4, or 8. We then construct the new matrix via 
the tensor products: 

$C = \begin{pmatrix} H \otimes A & (H \otimes B)(H \otimes A) \\ -(H \otimes B)^T (H \otimes A) & H \otimes A \end{pmatrix}$. 

$C$ is now an orthogonal matrix. This matrix is size adaptive with respect to powers of 2 since 
each matrix is of some order of 2, and the size of $H$ can be chosen. 
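However, the Hadamard matrix property that $H^T H = I_n$ is actually a disadvantage. Let 

$H = \begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & -1 & 1 & -1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & -1 & 1 \end{pmatrix}$. 

Then our matrix is 

$C = \begin{pmatrix} H \otimes A & (H \otimes B)(H \otimes A) \\ -(H \otimes B)^T (H \otimes A) & H \otimes A \end{pmatrix}
= \left(\begin{array}{cccc|cccc}
A & A & A & A & 4BA & & & \\
A & -A & A & -A & & 4BA & & \\
A & A & -A & -A & & & 4BA & \\
A & -A & -A & A & & & & 4BA \\ \hline
-4B^T A & & & & A & A & A & A \\
 & -4B^T A & & & A & -A & A & -A \\
 & & -4B^T A & & A & A & -A & -A \\
 & & & -4B^T A & A & -A & -A & A
\end{array}\right)$ 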

The resulting matrix is relatively sparse, which is undesirable for maintaining secrecy. 



3.5. Scheme #5. We choose $p$ Hadamard arrays $H_1, H_2, \ldots, H_p$. Each array can have its 
own size, say $e_i \times e_i$ for $1 \le i \le p$, where each $e_i$ is either 2, 4, or 8. We then construct our 
$e_1 e_2 \cdots e_p$-sized matrix $M$ by the tensor product of these $p$ matrices: 

$M = \bigotimes_{i=1}^{p} H_i := H_1 \otimes H_2 \otimes \cdots \otimes H_p$. 

The ciphertext then is $c = M(m \oplus g)$. With this construction, we eliminate the sparsity that 
was shown in scheme #4. Note that the key in this case is the entries of the first rows of $H_1$ 
to $H_p$, hence is an array of numbers of size $e_1 + e_2 + \cdots + e_p$, and hence is relatively small. 

We ran some numerical experiments, using scheme #5 to obtain information regarding 
several things: 

1. We wanted to see if a brute force attack would be a feasible way of defeating the 
cipher. The results of the experiments and also the computations below suggest that 
the answer is no. 

2. One advantage of the One Time Pad is that a brute force attack results in all possible 
plaintext messages, forcing an adversary to choose which was the original message. We 
wanted to determine if this was also true of our proposed cipher. The results of our 
experiments indicate that the answer to this is also no. 

3. Finally, we wanted to determine if the size of the entries of the garbage vector g 
mattered. The experiments and the computations below suggest that the answer is 
yes. 

The results of our experiments, in the form of graphs, are given below. 
4. Experimental Results and Conclusions 

We want to know how accurate a guess has to be in order to break the cipher. We suppose 
that an adversary knows that we are using scheme #5, that is the adversary knows the 
structure of the matrix $M$, but not the entries. We let $M$ be the original matrix of size $n$, $\tilde{M}$ 
be the adversary's guess, and $w$ be the original plaintext $m$ concatenated with the garbage 
$g$ (i.e. $w = m \oplus g$). Then we consider $\tilde{w} := (1/\tilde{k})\tilde{M}^T M w$ where $\tilde{k} = \|\tilde{M}\|^2$. Since we 
assume that the structure of $M$ is known by the adversary, we consider $\tilde{M} = M + P$, where 
$P$ is a matrix with the same structure as $M$. For simplicity, we let $M_i$ denote the $i$th row 
of the matrix $M$ and likewise for $P$. Note that $k = \langle M_i, M_i \rangle$ since $(1/k)M^T M = I_n$, and 
$\tilde{k} = \langle \tilde{M}_i, \tilde{M}_i \rangle = \langle M_i + P_i, M_i + P_i \rangle = \|M_i\|^2 + 2\langle M_i, P_i \rangle + \|P_i\|^2$. 

We rewrite to get the following: 

$(1/\tilde{k})\tilde{M}^T M = (k/\tilde{k})I + (1/\tilde{k})P^T M = \frac{\langle M_i, M_i \rangle}{\langle M_i + P_i, M_i + P_i \rangle} I + \frac{1}{\langle M_i + P_i, M_i + P_i \rangle} \left[\langle P_j, M_l \rangle\right]$. 

Let $w = (w_1, w_2, \ldots, w_n)$. Then we have that for $1 \le j \le n$: 

$\tilde{w}_j = \left(\frac{\langle P_j, M_j \rangle + \langle M_j, M_j \rangle}{\langle M_j + P_j, M_j + P_j \rangle}\right) w_j + \sum_{l=1,\, l \ne j}^{n} \left(\frac{\langle P_j, M_l \rangle}{\langle M_l + P_l, M_l + P_l \rangle}\right) w_l$. 

For an adversary's guess to be close, 

$\frac{\langle P_j, M_j \rangle + \langle M_j, M_j \rangle}{\langle M_j + P_j, M_j + P_j \rangle} \approx 1$ 

and 

$\sum_{l=1,\, l \ne j}^{n} \frac{\langle P_j, M_l \rangle}{\langle M_l + P_l, M_l + P_l \rangle} \approx 0$. 



We break this up into cases. 

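Case 1: Assume $\|P\|$ is relatively large compared to $\|M\|$; that is, the guess is far from the 
actual matrix. We have 

$\frac{\langle P_j, M_l \rangle}{\langle M_i + P_i, M_i + P_i \rangle} = \frac{\langle P_j, M_l \rangle}{\|M_i\|^2 + 2\langle P_i, M_i \rangle + \|P_i\|^2} = \frac{\langle P_j, M_l \rangle / \|P_i\|^2}{(\|M_i\|^2/\|P_i\|^2) + (2\langle P_i, M_i \rangle/\|P_i\|^2) + 1} \to 0$ as $\|P_i\| \to \infty$. 

However, when we look at the $w_j$ coefficients, we see the following: 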



(Ma. Ma) 



((Mi.MMWPi 
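Case 2: We assume $\|P\|$ is small relative to $\|M\|$; that is, the guess is close. Then we have 
using the same arguments: 

$\frac{\langle P_j, M_l \rangle}{\langle M_i + P_i, M_i + P_i \rangle} = \frac{\langle P_j, M_l \rangle / \|M_i\|^2}{1 + (2\langle M_i, P_i \rangle/\|M_i\|^2) + (\|P_i\|^2/\|M_i\|^2)} \to 0$ as $\|P_i\| \to 0$. 

So, the better the guess, the smaller the 'extra' coefficients will be. Likewise, for the 
$w_j$ coefficients, 

$\frac{\langle M_j, M_j \rangle + \langle M_j, P_j \rangle}{\|M_j\|^2 + 2\langle M_j, P_j \rangle + \|P_j\|^2} = \frac{1}{1 + (2\langle M_j, P_j \rangle/\|M_j\|^2) + (\|P_j\|^2/\|M_j\|^2)} + \frac{\langle P_j, M_j \rangle}{\|M_j\|^2 + 2\langle M_j, P_j \rangle + \|P_j\|^2} \to 1$ as $\|P_j\| \to 0$. 
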
Our first question is whether an adversary can figure out how small the perturbation $P$ 
must be in order to get a "good guess". The adversary knows the size of $M$ and $\|Mw\|$; 
we assume additionally that the adversary knows the structure of $M$. For convenience, 
assume that the encryption matrix $M = A \otimes B \otimes C$ for 3 Hadamard arrays, $A$, $B$, and 
$C$. We then let $\tilde{M} = (A + a) \otimes (B + b) \otimes (C + c)$ for (small norm) perturbation matrices 
$a$, $b$ and $c$. We reformulate our question: How big can $\|a\|$, $\|b\|$, and $\|c\|$ be such that 
$\|\tilde{M}^T M w - M^T M w\| < \epsilon$, where $\epsilon$ is some acceptable tolerance for error? (Here, for a matrix 
$A$, $\|A\|$ denotes the operator norm of $A$. Below, $\|\cdot\|$ shall denote both Hilbert space norm 
for vectors and operator norm for matrices.) 

We let $\|a\| \approx \|b\| \approx \|c\| \approx \beta$ and $\|A\| \approx \|B\| \approx \|C\| \approx \gamma$. We may assume that $\gamma \gg \beta$. 
If we write out $\tilde{M}$ in terms of the tensor products, we get 

$\tilde{M} = A \otimes B \otimes C + A \otimes B \otimes c + \cdots + a \otimes b \otimes c$ and $\|\tilde{M}\| \le \gamma^3 + 3\gamma^2\beta + 3\gamma\beta^2 + \beta^3$. 

Given any $\epsilon > 0$, we choose $\delta = \epsilon/\|Mw\|$. If $|3\gamma^2\beta| < \delta$, then 

$\|\tilde{M}^T M w - M^T M w\| \le \|\tilde{M}^T - M^T\| \|Mw\| \le (3\gamma^2\beta + 3\gamma\beta^2 + \beta^3)\|Mw\|$ 

$\approx 3(\gamma^2\beta)\|Mw\| < \delta\|Mw\| = \epsilon$. 

These computations suggest that the larger the entries of the garbage vector g are, the 
closer a guess must be in order to reasonably recover the message. This is corroborated 
by the experiments we ran (see the graphs below). Thus, we can control the accuracy an 
adversary would need in order to break the cipher. 

4.1. Chosen-Plaintext Attack. We will demonstrate here a chosen-plaintext attack on the 
cipher which will break the system. A chosen-plaintext attack is an attack mounted by an 
adversary which chooses a plaintext and is then given the corresponding ciphertext. 

Theorem 1. The encryption algorithm proposed above is vulnerable to a chosen-plaintext 
attack. 

Proof. We assume the adversary knows the length of the message band and subsequently the 
length of the noise band. Let the length of the message band be $N_m$ and the length of the 
noise band be $N_n$. The attack is as follows: 

Step 1. Determine the range of the noise band $K$ of $\Theta$. That is, determine $(\Theta_X|\Theta_Y)(0 \oplus \mathbb{R}^{N_n})$. 
Choose any plaintext $m$ of size $N_m$. Encode the plaintext twice, with output, say, $e_0$ 
and $e_1$. Compute $e_1 - e_0 = \Theta(m \oplus g_1) - \Theta(m \oplus g_0) = \Theta(0 \oplus g_1 - 0 \oplus g_0)$. Notice that this 
yields a vector $f_1 = \Theta(0 \oplus g_1 - 0 \oplus g_0)$ in the range of the noise band of $\Theta$. Encode the 
plaintext a third time, with output $e_2$, and compute $f_2 = e_2 - e_0$. Compute $f_3, \ldots, f_m$ 
until the collection $\{f_1, \ldots, f_m\}$ contains a linearly independent subset of size $N_n$. This 
determines the range of the noise band $K$ of $\Theta$. 

Step 2. Determine the range of the message band $T$ of $\Theta$. That is, determine what is $(\Theta_X|\Theta_Y)(\mathbb{R}^{N_m} \oplus 0)$. 
Choose any plaintext $m_1$ of size $N_m$; encode the plaintext, with output $e_1$; then 
project $e_1$ onto the orthogonal complement of $K$. This yields a vector $x_1$ in $T$. Choose 
another plaintext $m_2$ and repeat, yielding vector $x_2 \in T$. Repeat until the collection 
$\{x_1, \ldots, x_q\}$ contains a linearly independent subset of size $N_m$. This set determines $T$. 

Step 3. Determine the message part of $\Theta$. That is, determine $\Theta_X$. Suppose in Step 2, $\{m_1, \ldots, m_{N_m}\}$ 
is such that $\{x_1, \ldots, x_{N_m}\}$ is linearly independent. If we write $\Theta = (\Theta_X|\Theta_Y)$, then we 
now have the following system of equations: 

$(\Theta_X|\Theta_Y)(m_k \oplus 0) = x_k$ for $k = 1, \ldots, N_m$. 

Given this system of equations, now solve for $\Theta_X$. 

Step 4. Unencode ciphertexts. Given any ciphertext $e$, the adversary computes the following: 

$K^{-1}(\Theta_X|0)^T e = K^{-1}(\Theta_X|0)^T (\Theta_X|\Theta_Y)(m \oplus g) = m$ 

where $K$ is the square of the norm of any column of $\Theta_X$. 

□ 
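
The following Python sketch is an added example, not code from the paper: it builds scheme #5 from two 4x4 Hadamard arrays and then carries out Steps 1-4 of the proof above against an encryption oracle, using exact rational arithmetic. The 4x4 array layout (taken as the upper-left block of $H[8,8,1]$), the key entries, the function names, and the use of the zero plaintext in Step 1 and unit vectors in Step 2 are assumptions made for the illustration.

```python
"""Scheme #5 with two 4x4 Hadamard arrays, and the chosen-plaintext attack of Theorem 1."""
from fractions import Fraction
import random


def hadamard4(a, b, c, d):
    # 4x4 Hadamard array: the upper-left block of the page's H[8,8,1] (assumed layout).
    return [[a, b, c, d], [-b, a, d, -c], [-c, -d, a, b], [-d, c, -b, a]]


def kron(A, B):
    # Tensor (Kronecker) product of two matrices given as lists of rows.
    return [[x * y for x in ra for y in rb] for ra in A for rb in B]


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def encrypt(M, m, rng, garbage=1000):
    # c = M (m (+) g), with a fresh random garbage vector g on every call.
    g = [rng.randint(-garbage, garbage) for _ in range(len(M) - len(m))]
    w = list(m) + g
    return [dot(row, w) for row in M]


def decrypt(M, c, n_msg):
    # Legitimate receiver: M^T M = k I, so m is the first n_msg entries of M^T c / k.
    k = dot(M[0], M[0])
    return [Fraction(dot(col, c), k) for col in list(zip(*M))[:n_msg]]


def strip_noise(v, noise_basis):
    # Project v onto the orthogonal complement of the (mutually orthogonal) noise basis.
    v = [Fraction(x) for x in v]
    for b in noise_basis:
        coef = dot(v, b) / dot(b, b)
        v = [x - coef * y for x, y in zip(v, b)]
    return v


def recover_message_band(oracle, n_msg, n_total):
    """Steps 1-3: learn Theta_X using only an encryption oracle."""
    # Step 1: differences of encryptions of one plaintext lie in the noise band;
    # Gram-Schmidt them (exactly, over the rationals) until the band is spanned.
    zero = [0] * n_msg
    e0, noise = oracle(zero), []
    while len(noise) < n_total - n_msg:
        f = [x - y for x, y in zip(oracle(zero), e0)]
        r = strip_noise(f, noise)
        if any(r):                       # skip linearly dependent differences
            noise.append(r)
    # Steps 2-3: encrypt the unit vectors and remove the noise component. With
    # unit-vector plaintexts the linear system of Step 3 is already solved:
    # the k-th result is column k of Theta_X.
    cols = []
    for k in range(n_msg):
        unit = [int(i == k) for i in range(n_msg)]
        cols.append(strip_noise(oracle(unit), noise))
    return cols


def attacker_decrypt(cols, c):
    # Step 4: m = K^{-1} Theta_X^T c, with K the squared norm of a column of Theta_X.
    K = dot(cols[0], cols[0])
    return [dot(col, c) / K for col in cols]


def demo(seed=1):
    rng = random.Random(seed)
    M = kron(hadamard4(5, 6, 7, 5), hadamard4(6, 7, 5, 6))   # constructed key
    msg = list(b"Same Old")                                   # 8 ASCII values
    c = encrypt(M, msg, rng)
    cols = recover_message_band(lambda m: encrypt(M, m, rng), 8, 16)
    return msg, decrypt(M, c, 8), attacker_decrypt(cols, c)


if __name__ == "__main__":
    msg, receiver, attacker = demo()
    print(bytes(int(x) for x in receiver), bytes(int(x) for x in attacker))
```

The oracle is queried only a few dozen times, and the recovered columns equal the first eight columns of the key matrix exactly, which is the linearity weakness named in the concluding remarks.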

4.2. Concluding Remarks. The proposed cipher appears to be robust to brute force attacks, 
but is not robust against a chosen-plaintext attack. We mention, however, that we do 
not know if the scheme is robust to a known-plaintext attack. Moreover, this is a private 
symmetric key cipher; it would be desirable if this method could be altered to be used as a 
public key cipher. We reiterate that the McEliece cipher is a public key system and is similar 
in flavor to the cipher presented here. 

The ultimate downfall of the cipher is the linearity. We suggest that perhaps there is 
possibly a way of introducing non-linearity into the algorithm to defeat a chosen-plaintext 
attack. However, at this point, we know of no methods to accomplish this. 

5. Pseudo-Code 

5.1. Encoder.cpp. 

1. Calculate Matrix 

(a) Input the possible range of entries for A, B, C 

(b) Make A, B, C either 4x4 or 8x8 Hadamard arrays with entries chosen randomly 
from the range (for simplicity, we are using the 4x4 Hadamard array) 

(c) Compute tensor product $A \otimes B \otimes C$ 

2. Encode Message 

(a) Compute $m \oplus g$ by converting the message to ASCII and filling $g$ with random 
numbers 

(b) Compute $(A \otimes B \otimes C)(m \oplus g)$ 

5.2. Hacker.cpp. This code attempts a brute force method on a ciphertext. 

1. Input min, max, range of key guesses 

2. Input ciphertext 

3. For all possible values of the twelve variables in use 

(a) Fill the matrices with the possible values 

(b) Tensor matrices together 

(c) Calculate possible text messages 

(d) Output text to file for later examination 

5.3. Analyzer.cpp. This code takes the output of Hacker.cpp and calculates the frequency 
of occurrence of every ASCII symbol. 

1. For each line of text, count number of appearances of each ASCII value 

2. Output information to text file 
6. Graphs 

How to read the following graphs. We carried out the following computations to simulate 
a brute force attack on the cipher: 

1. for a sample plaintext, encode the plaintext using scheme #5 making the following 
choices: approximate entry size for the matrices and approximate size for the garbage 
entries; 

2. decode the ciphertext using every combination of key entry and key entry ±1; 

3. convert the decoded ciphertext in the previous step to ASCII values; 

4. count the appearance of each value in the resulting combinations. 

The graphs represent the number of appearances within all possible key guesses from step 2 
above. The plaintext is given in the title of the graph; the ASCII values are the x-axis of the 
graph, and the approximate key sizes and garbage sizes are given in the graph captions. 

Note that in figures 3 and 7, the key size and garbage size are the same. The graphs show 
that most of the characters that appear in the simulated brute force attack are those that 
are in the original message. 
[Figures 1-11: graphs not reproduced. Plot title (plaintext): "Same Old Boring message, yet again"; x-axis: Character Values (ASCII).] 

Figure 1. Key: 5-7; Garbage: 128 

Figure 2. Key: 25-27; Garbage: 128 

Figure 3. Key: 100-102; Garbage: 128 

Figure 4. Key: 5-7; Garbage: 1000 

Figure 5. Key: 25-27; Garbage: 1,000 

Figure 6. Key: 100-102; Garbage: 1,000 

Figure 7. Key: 1,000-1,002; Garbage: 1,000 

Figure 8. Key: 5-7; Garbage: 100,000 

Figure 9. Key: 25-27; Garbage: 100,000 

Figure 10. Key: 100-102; Garbage: 100,000 

Figure 11. Key: 1,000-1,002; Garbage: 100,000 